Affected configurations: All smart contract wallets created with Ethereum Wallet Frontier, version 0.4.0 (Beta 7) or earlier. Wallets created with Ethereum Wallet 0.5.0 (released March 3, 2016) or any later release are not affected.
Likelihood: Low
Severity: High
Overview:
Do not use wallet contracts created by Ethereum Wallet 0.4.0 or earlier, or the owner accounts of those wallets. Interacting with a malicious contract could cause you to lose ownership of the wallet contract. Create a new wallet and move your funds to it.
How to stay safe:
Do not use affected wallet contracts, or the owner accounts of those wallets, to send ether or to interact with unfamiliar contracts.
If you stop using these accounts and wallets, and migrate to a new wallet as described below, you are not exposed.
Details:
A vulnerability was found that affects smart contract wallets created before the Homestead release (that is, during the Frontier phase). You are at risk if an affected wallet interacts with a malicious contract, OR if the owner account of an affected wallet interacts with a malicious contract that knows the wallet's address. In either case the attacker can impersonate the owner, which lets them steal ether or tokens and change the ownership of the wallet.
As long as you do not use the affected wallet or its owner accounts with unfamiliar contracts, the vulnerability cannot be triggered.
Receiving ether, and sending ether to non-contract (externally owned) accounts, is safe.
If the wallet is configured as a multisig, the exposure is lower: the attacker would need to get every owner whose confirmation the wallet requires to interact with the malicious contract(s).
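The two exposure paths above and the multisig mitigation can be seen in a small model of an EVM-style call chain. The following is an added example, not Ethereum Wallet code; the advisory does not disclose the actual defect, so the "origin" authorization policy in the model is an assumed stand-in chosen only because it has the property the advisory describes (a contract that the owner calls can act as the owner), and the "sender" policy is the contrasting rule that does not. The addresses (0xALICE, 0xBOB, 0xEVIL, 0xATTACKER) and the wallet API (`execute`) are constructed for the example. The model shows the path where an owner account sends a transaction to an attacker-controlled contract that knows the wallet address; the path where the wallet itself calls out to a malicious contract has the same shape, since the signing owner stays the transaction origin of any call the malicious contract makes back into the wallet.

```python
"""Toy model of an EVM-style call chain for the advisory's threat pattern.
Added example, not Ethereum Wallet code. The advisory does not disclose the
real defect; the "origin" policy below is an ASSUMED stand-in authorization
rule with the property described (a contract the owner calls can act as the
owner). The "sender" policy is the contrasting rule that does not have it."""


class Frame:
    """Call context, mirroring tx.origin (transaction signer) and
    msg.sender (the immediate caller of this frame)."""

    def __init__(self, origin, sender):
        self.origin = origin
        self.sender = sender


class Wallet:
    """Owner-gated wallet with an M-of-N confirmation threshold."""

    def __init__(self, owners, required, policy):
        assert policy in ("origin", "sender")
        self.owners = set(owners)
        self.required = required
        self.policy = policy
        self.balance = 100  # constructed starting balance
        self.pending = {}   # operation -> set of owners that confirmed it

    def _caller(self, frame):
        # The only difference between the two policies is which identity
        # the authorization check looks at.
        return frame.origin if self.policy == "origin" else frame.sender

    def execute(self, frame, to, value):
        """Transfer `value` to `to` once `required` owners have confirmed."""
        who = self._caller(frame)
        if who not in self.owners:
            raise PermissionError("caller is not an owner")
        op = ("execute", to, value)
        confirmed = self.pending.setdefault(op, set())
        confirmed.add(who)
        if len(confirmed) < self.required:
            return False  # waiting for further owners
        del self.pending[op]
        self.balance -= value
        return True


class MaliciousContract:
    """Attacker contract that knows the victim wallet's address. Whenever any
    account calls it, it calls the wallet and asks for the whole balance."""

    def __init__(self, address, wallet, attacker):
        self.address = address
        self.wallet = wallet
        self.attacker = attacker

    def receive_call(self, frame):
        # Inner call: origin is unchanged (still the signing owner), but the
        # immediate sender is now this contract, not the owner.
        inner = Frame(origin=frame.origin, sender=self.address)
        try:
            return self.wallet.execute(inner, self.attacker, self.wallet.balance)
        except PermissionError:
            return False


def lure_owners(policy, owners, required, lured):
    """Each lured owner signs a transaction *to the malicious contract*, never
    to the wallet. Returns (wallet drained?, remaining balance)."""
    wallet = Wallet(owners, required, policy)
    evil = MaliciousContract("0xEVIL", wallet, "0xATTACKER")  # constructed
    drained = False
    for owner in lured:
        if evil.receive_call(Frame(origin=owner, sender=owner)):
            drained = True
    return drained, wallet.balance


def legitimate_transfer(policy):
    """Sanity check: an owner calling the wallet directly works under either
    policy, so the difference only shows up through an intermediary."""
    wallet = Wallet(["0xALICE"], 1, policy)
    ok = wallet.execute(Frame("0xALICE", "0xALICE"), "0xFRIEND", 10)
    return ok, wallet.balance


if __name__ == "__main__":
    print("origin policy, single owner lured:",
          lure_owners("origin", ["0xALICE"], 1, ["0xALICE"]))
    print("sender policy, single owner lured:",
          lure_owners("sender", ["0xALICE"], 1, ["0xALICE"]))
    print("origin policy, 2-of-2, one lured:  ",
          lure_owners("origin", ["0xALICE", "0xBOB"], 2, ["0xALICE"]))
    print("origin policy, 2-of-2, both lured: ",
          lure_owners("origin", ["0xALICE", "0xBOB"], 2, ["0xALICE", "0xBOB"]))
```

Under the origin policy a single lured owner is enough to drain a 1-of-1 wallet, while a 2-of-2 wallet survives until both owners have been lured, which is the multisig point above. Under the sender policy the malicious contract is rejected in every case because the wallet sees the contract, not the owner, as its caller. This is why the advice is to keep owner accounts away from unknown contracts entirely rather than to rely on noticing a bad transaction.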
Recommended solution:
If you created a wallet with an affected version, we recommend the following steps:
- Create a new wallet with the latest version of Ethereum Wallet (0.5.0 or later) and move your funds to it. You can follow these instructions.
- Until you have done so, do not use any account that is an owner of an affected wallet, or the affected wallet itself, to interact with closed-source or otherwise unknown contracts that might perform arbitrary actions (including forwarding ether). Only send to, and interact with, addresses you own or recognize.
- Create a separate account for daily use. This account should not be an owner of any of your contract wallets.
We have released Ethereum Wallet 0.7.6, which will identify your affected wallets.